MariaDB / mariadb-docker

Docker Official Image packaging for MariaDB
https://mariadb.org
GNU General Public License v2.0

Need to update gosu inside the Dockerfiles #546

Closed. Hanmac closed this 10 months ago

Hanmac commented 10 months ago

MariaDB still uses gosu 1.14 in all their Dockerfiles; there are updated versions available.

Asking Docker Hub shows this: 3 Critical, 36 High https://hub.docker.com/layers/library/mariadb/10.11/images/sha256-0547f59f5bd555d73ea86d13331e5d5cb8fb8ec9387b856bbf38228c0bbaf114?context=explore

Building a new image with gosu 1.17 shows this: no critical and no high (screenshot: mariadb_10 11_fixed)

grooverdan commented 10 months ago

It's at this version because of https://github.com/tianon/gosu/issues/125

Per https://github.com/MariaDB/mariadb-docker/blob/master/SECURITY.md - not a vulnerability - check with govulncheck. I'm talking with Docker folks to do this so I don't get repetitive reports like this.

I notice there's a gosu-1.17 now and can test that. But probably not sufficient time before the release that is happening now.

Hanmac commented 10 months ago

There is also this gosu version that fixes some other vulnerabilities: https://github.com/checkout-anywhere/gosu/tree/master

grooverdan commented 10 months ago

Nope, they fell in the same trap you did. Just because there are golang vulnerabilities doesn't mean every go application build has all of those vulnerabilities.
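The point made above (and in the earlier "check with govulncheck" comment) is that a scanner matching only the Go version embedded in a binary cannot tell a reachable vulnerability from a merely present one. The script below, an added example that is not part of the mariadb-docker project or of gosu, triages a `govulncheck -json` stream by evidence level; the record shapes (`osv`, `finding`, `trace` frames) are my understanding of govulncheck's JSON output and are an assumption to check against your govulncheck version, and the sample stream is constructed.

```python
import json

# Constructed sample of a `govulncheck -json` stream (one object per line).
# The record shapes are an assumption about govulncheck's output: "osv"
# records describe an advisory; "finding" records carry a "trace" whose
# first frame is the vulnerable symbol/package/module and whose last frame
# is the scanned program's entry point.
SAMPLE = """\
{"osv":{"id":"GO-0000-0001","summary":"(constructed) bug in net/http.Serve"}}
{"osv":{"id":"GO-0000-0002","summary":"(constructed) bug elsewhere in stdlib"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.21.0","trace":[{"module":"stdlib","version":"v1.20.0","package":"net/http","function":"Serve"},{"module":"example.com/app","version":"v0.1.0","package":"main","function":"main"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v1.21.0","trace":[{"module":"stdlib","version":"v1.20.0"}]}}
"""

# Evidence levels, weakest to strongest. A version-matching scanner reports
# everything at "module" level; govulncheck reports "symbol" only when a
# call path from the program to the vulnerable function exists.
LEVELS = ("module", "package", "symbol")


def frame_level(frame: dict) -> str:
    """Classify one trace frame by how specific its evidence is."""
    if frame.get("function"):
        return "symbol"
    return "package" if frame.get("package") else "module"


def triage(stream: str) -> dict:
    """Group findings by advisory id, keeping the strongest evidence level seen."""
    summaries, result = {}, {}
    for line in filter(str.strip, stream.splitlines()):
        rec = json.loads(line)
        if "osv" in rec:
            summaries[rec["osv"]["id"]] = rec["osv"].get("summary", "")
        elif "finding" in rec:
            f = rec["finding"]
            level = frame_level(f["trace"][0]) if f.get("trace") else "module"
            entry = result.setdefault(f["osv"], {"level": "module"})
            entry["fixed_version"] = f.get("fixed_version")
            if LEVELS.index(level) > LEVELS.index(entry["level"]):
                entry["level"] = level
    for osv_id, entry in result.items():
        entry["summary"] = summaries.get(osv_id, "")
    return result


def reachable(triaged: dict) -> list:
    """Advisory ids whose vulnerable function is actually called from the binary."""
    return sorted(k for k, v in triaged.items() if v["level"] == "symbol")
```

Only the ids returned by `reachable()` are worth a rebuild before the next scheduled Go/gosu bump; the rest are the "same trap" the thread describes.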

Hanmac commented 10 months ago

> Nope, they fell in the same trap you did. Just because there are golang vulnerabilities doesn't mean every go application build has all of those vulnerabilities.

My problem there: the image is scanned by an external tool (not my choice), and if it finds high or critical vulnerabilities, the image gets deleted.

grooverdan commented 10 months ago

Added gosu 1.17 to the testing.

If it goes well, in ~2 weeks updates will be released with that.

In the meantime, quay.io/mariadb-foundation/mariadb-devel:X.Y for images later than this comment will include gosu-1.17 (and whatever is finished being developed/fixed for the branch: https://mariadb.org/new-service-quay-io-mariadb-foundation-mariadb-devel/).